Auth Servers Configuration

You can configure up to three authentication servers (RADIUS, SecurID, and LDAP) on a security device.

1. Enter the necessary information:

Name: Enter a name for the auth server. (The only predefined auth server is “Local”.)

IP/Domain Name: Enter the IP address or domain name of the server.

Backup1: Enter the IP address or domain name of a primary backup server.

Backup2: (RADIUS and LDAP) Enter the IP address or domain name of a secondary backup server.

Timeout: Enter the timeout value for the server.

Forced Timeout: Specifies the time, in minutes, after which access for the authenticated user is terminated. The auth table entry for the user is removed, as are all associated sessions for the auth table entry. Forced timeout behavior is independent of idle timeout setting.

The default is 0 (disabled), the range is 0 to 10000 (6.9 days).

Account Type: Select one or more of the following types of users: Auth, L2TP, Admin, XAuth, or 802.1X.

Note: When you select the Admin type, you cannot select any other types of users. Selecting 802.1X specifies that the server configuration uses only the 802.1X protocol for wireless connectivity between the device and the authentication server.

Username: Specifies a domain name for a particular auth server, or a portion of a username from which to strip characters. If you specify a domain name for the auth server, it must be present in the username during authentication.

The device uses a separator character to identify where stripping occurs. Stripping removes all characters to the right of each instance of the specified character, plus the character itself. The device starts with the right most separator character.

The parameters for this feature are the separator character and the number of separator occurrences to strip (Occurring):

If the specified number of separator characters (Occurring) exceeds the actual number of separator characters in the username, the command stops stripping at the last available separator character.

Note: The device performs domain-name matching before stripping.
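The domain-matching and separator-stripping rules above are easy to misread, so here is a small Python model of them as an added example (it is not ScreenOS code; the `UsernameRule` field names are hypothetical and stand in for the Username, separator and Occurring settings described above). It follows the text literally: the domain check runs first on the username as entered, stripping works from the rightmost separator, and an Occurring value larger than the number of separators present stops at the last available one instead of failing.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class UsernameRule:
    """Constructed model of the Username settings described above.
    Field names are hypothetical; they are not ScreenOS keywords."""
    domain: Optional[str] = None     # domain that must be present, or None for no check
    separator: Optional[str] = None  # separator character, e.g. "@"
    occurring: int = 1               # how many separators to strip, counted from the right


def domain_matches(username: str, domain: Optional[str]) -> bool:
    """Domain-name matching is performed before stripping: when a domain is
    configured it must be present in the username as the user entered it."""
    if not domain:
        return True
    return domain in username


def strip_username(username: str, separator: Optional[str], occurring: int) -> str:
    """Remove everything to the right of a separator plus the separator itself,
    starting at the rightmost separator and repeating `occurring` times. When
    `occurring` exceeds the number of separators present, stripping stops at
    the last available (leftmost) separator instead of failing."""
    if not separator or occurring <= 0:
        return username
    result = username
    for _ in range(occurring):
        idx = result.rfind(separator)
        if idx < 0:
            break  # no separators left: stop at the last one that existed
        result = result[:idx]
    return result


def normalize_login(username: str, rule: UsernameRule) -> Optional[str]:
    """Username as it would be sent to the auth server, or None when the
    required domain is missing (the match is checked before any stripping)."""
    if not domain_matches(username, rule.domain):
        return None
    return strip_username(username, rule.separator, rule.occurring)


if __name__ == "__main__":
    rule = UsernameRule(domain="example.com", separator="@", occurring=1)
    print(normalize_login("alice@example.com", rule))       # alice
    print(normalize_login("alice@corp@example.com", rule))  # alice@corp
    print(normalize_login("alice@other.com", rule))         # None: domain absent
    # Stripping always removes the right-hand side, so a DOMAIN\user style
    # name loses the user part rather than the domain.
    print(strip_username("CORP\\alice", "\\", 1))           # CORP
```

Because the domain check runs before stripping, a user who omits the configured domain is rejected even though stripping would have produced the same bare username; and because stripping only ever removes the right-hand side, the feature fits `user@domain` forms, not `DOMAIN\user` forms.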

Failover Revert Interval: This feature specifies the interval (expressed in seconds) that must pass after an authentication attempt before the device attempts authentication through backup authentication servers. When an authentication request sent to a primary server fails, the security device tries the backup servers. If authentication via a backup server is successful, and the revert interval has elapsed, the device sends subsequent authentication requests to the backup server. Otherwise, it resumes sending the requests to the primary server. The range is 0 seconds (disabled) to 86400 seconds. This feature applies to RADIUS and LDAP servers only.

2. Select and configure the type of Auth server: RADIUS, SecurID, or LDAP.

To Configure a RADIUS Server

Select RADIUS to configure a RADIUS server to be an auth server.

RADIUS Port: Enter the port number on the RADIUS server to which the security device sends authentication requests. The default port number is 1645.

Retry Timeout: Enter the length of time in seconds that the security device waits between authentication retry attempts. The default value is 3 seconds.

Shared Secret: Enter a password for the NetScreen device and the RADIUS server to use to encrypt the transactions they exchange.

Note: For a RADIUS server to support such security-specific attributes as admin privileges, user groups, remote L2TP and XAuth IP address, and DNS and WINS server address assignments, you must load a RADIUS dictionary file that defines these attributes onto the RADIUS server. For more information on the RADIUS type of server, see RADIUS Server.

Zone Verification: Select this option to verify that the zone configured on the port is one of the zones the user is a member of.

An authentication check can include support for zone verification. Enabling this option requires the specified RADIUS server to support RADIUS VSA enhancement. Authentication is allowed only if the zone configured on the port is a zone that a user is a member of.
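The Shared Secret above is worth understanding precisely: under RFC 2865 it does not encrypt the whole exchange, it hides the User-Password attribute with an MD5-derived keystream and lets the client verify that a reply came from a holder of the secret. The following Python is an added example of both operations, not ScreenOS or any RADIUS vendor's code; the secret, Request Authenticator and reply are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    bytes, then XOR each 16-byte chunk with MD5(secret + previous chunk),
    where the first 'previous chunk' is the 16-byte Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk  # chaining: the next keystream block depends on this ciphertext
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """What the server does with the attribute; the inverse of hide_user_password.
    NUL padding is stripped (RFC 2865 passwords do not contain NUL)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, keystream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Length counts the 20-byte header plus the attributes."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_reply(code: int, identifier: int, attributes: bytes,
                request_authenticator: bytes, secret: bytes) -> bytes:
    """Server side: a reply whose Authenticator field is the Response Authenticator."""
    auth = response_authenticator(code, identifier, attributes, request_authenticator, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its Response Authenticator matches the
    Request Authenticator we sent and our copy of the shared secret. A reply that
    fails here was not produced by a holder of the secret, or answers a different
    request, and must be discarded rather than treated as an Access-Accept."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[HEADER_LEN:],
                                      request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


if __name__ == "__main__":
    # Constructed sample values; a real client draws the Request Authenticator
    # from a CSPRNG for every request.
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))
    hidden = hide_user_password(b"hunter2", secret, req_auth)
    print(hidden.hex(), reveal_user_password(hidden, secret, req_auth))
    reply = build_reply(ACCESS_ACCEPT, 7, b"", req_auth, secret)
    print(verify_response(reply, req_auth, secret), verify_response(reply, req_auth, b"wrong"))
```

The keystream is derived only from the secret and a Request Authenticator that travels in the clear, so the strength of the shared secret is all that protects a captured User-Password; choose a long random secret per server rather than a short password, and keep the device-to-RADIUS path on a protected network segment or inside a VPN tunnel.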

To Configure a SecurID Server

Select SecurID to configure a SecurID server to be an auth server.

Client Retries: Enter the number of times that the SecurID client (that is, the security device) tries to establish communication with the SecurID ACE server before aborting the attempt.

Client Timeout: Enter the length of time in seconds that the security device waits between authentication retry attempts. The default value is 5 seconds.

Authentication Port: Enter the port number on the SecurID ACE server to which the security device sends authentication requests. The default port number is 5500.

Encryption Type: Enter the algorithm to use for encrypting communication between the security device and the SecurID ACE server—either DES or SDI.

Use Duress: When this option is enabled, and a user enters an incorrect PIN, the security device sends a signal to the SecurID ACE server indicating that the user is performing the login against his or her will; that is, while under duress. The SecurID ACE server permits access once, and then it denies any further login attempts by that user until he or she contacts the SecurID administrator. Duress mode is available only if the SecurID ACE server supports this option.

Note: For more information on the SecurID type of server, see SecurID Server.

To Configure an LDAP Server

Select LDAP to configure an LDAP server to be an auth server.

LDAP Port: Enter the port number on the LDAP server to which the security device sends authentication requests. The default port number is 389.

Note: If you change the LDAP port number on the security device, also change it on the LDAP server.

Common Name Identifier: Enter the attribute the LDAP server uses to identify an individual entry on that server. For example, “uid” means “user ID” and “cn” means “common name”.

Distinguished Name (dn): Enter the path the LDAP server follows before it uses the common name identifier to search for a specific entry. (For example, c=us;o=juniper, where “c” stands for “country” and “o” for “organization”.)

Note: For more information on the LDAP type of server, see LDAP Server.
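To show how the Common Name Identifier and Distinguished Name combine into the entry the device looks up, here is an added Python example (not ScreenOS code). It assumes that the semicolon in the page's `c=us;o=juniper` notation separates RDN components listed from root to leaf, so the RFC 4514 form is `o=juniper,c=us`; that ordering is an assumption, not documented device behaviour. The user-supplied value is escaped per RFC 4514 so that a username containing `,` or `+` cannot add components to the DN.

```python
from typing import List

# RFC 4514 section 2.4: characters that must be escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a user-supplied attribute value so it cannot introduce extra RDN
    components or otherwise alter the DN the server is asked to resolve."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading '#' would start a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")          # leading/trailing space must be escaped
        else:
            out.append(ch)
    return "".join(out)


def base_dn_from_screenos(dn_field: str) -> str:
    """Convert the page's 'c=us;o=juniper' notation to an RFC 4514 DN.
    Assumption (constructed for this example): components are listed root
    first, so the result is leaf first: 'o=juniper,c=us'."""
    parts = [p.strip() for p in dn_field.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty base DN")
    for p in parts:
        if "=" not in p:
            raise ValueError(f"malformed RDN in base DN: {p!r}")
    return ",".join(reversed(parts))


def bind_dn(cn_identifier: str, username: str, dn_field: str) -> str:
    """The entry the device searches for: <cn_identifier>=<username>,<base DN>."""
    if not username:
        raise ValueError("empty username")
    if "=" in cn_identifier or not cn_identifier.isalnum():
        raise ValueError("common name identifier must be a bare attribute type")
    return f"{cn_identifier}={escape_rdn_value(username)},{base_dn_from_screenos(dn_field)}"


if __name__ == "__main__":
    print(bind_dn("uid", "alice", "c=us;o=juniper"))            # uid=alice,o=juniper,c=us
    print(bind_dn("uid", "alice,ou=admins", "c=us;o=juniper"))  # uid=alice\,ou=admins,o=juniper,c=us
```

The escaping matters on the device side only if the username reaches the DN unchanged; whatever the product does internally, the point for an administrator is that the common name identifier should be a bare attribute type such as `uid`, and usernames from untrusted sources should never be spliced into a DN without escaping.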

3. Click OK to save your settings.